Search Redirect

December 20, 2009 at 08:27:00
Specs: Windows 7, AMD Athlon Dual Core QL-60 1.9/3.00GB
Hello,
I have what seems to be a very common problem where all of my search results are getting redirected to unwanted ads and search results. I have tried a number of different removal tools with no success. I was hoping someone here could help me get rid of this problem. Thank you in advance.
Dan


#1
December 20, 2009 at 08:30:58
Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch the program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.


#2
December 20, 2009 at 09:02:58
Hey,
When I ran RSIT I got this error.

AutoIt Error
Line-1:
Error: Variable used without being declared

I have a log file for it however, and here it is

Logfile of random's system information tool 1.06 (written by random/random)
Run by Dan at 2009-12-20 12:04:32
Microsoft Windows 7 Ultimate
System drive C: has 12 GB (19%) free of 63 GB
Total RAM: 2814 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:38 PM, on 12/20/2009
Platform: Unknown Windows (WinNT 6.01.2972)
MSIE: Internet Explorer v8.00 (8.00.7068.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\V0470Mon.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\Desktop\RSIT.exe
C:\Program Files\trend micro\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Drive...bin/sysreqlab_nvd.cab
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 7021 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-498630497-1755084911-1948968680-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-498630497-1755084911-1948968680-1000UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL [2006-10-26 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2009-12-19 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1045800]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-26 31016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"V0470Mon.exe"=C:\Windows\V0470Mon.exe [2007-06-04 32768]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-11-19 623960]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"Google Updater"=C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2009-12-19 160752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-07 133104]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]
"Aim"=C:\Program Files\AIM\aim.exe [2009-09-16 3634024]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-12-16 2002160]

C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL [2006-10-26 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BFE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bowser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Browser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\dfsc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dhcp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DnsCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dot3Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Eaphost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\IKEEXT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanWorkstation]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LmHosts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Messenger]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb10]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NativeWifiP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS Wrapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ndiscap]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ndisuio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOSGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetDDEGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetMan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netprofm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetworkProvider]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NlaSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Nsi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nsiproxy.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP_TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PolicyAgent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdbss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdpencdd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdsessmgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCardSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Streams Drivers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VaultSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wlansvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E972-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E973-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E975-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-12-20 11:36:56 ----D---- C:\rsit
2009-12-20 11:36:56 ----D---- C:\Program Files\trend micro
2009-12-20 03:23:30 ----SD---- C:\ComboFix
2009-12-20 03:21:25 ----A---- C:\Windows\SWXCACLS.exe
2009-12-19 22:43:34 ----D---- C:\SDFix
2009-12-19 22:15:25 ----A---- C:\Windows\zip.exe
2009-12-19 22:15:25 ----A---- C:\Windows\SWREG.exe
2009-12-19 22:15:25 ----A---- C:\Windows\PEV.exe
2009-12-19 22:15:25 ----A---- C:\Windows\NIRCMD.exe
2009-12-19 22:15:25 ----A---- C:\Windows\MBR.exe
2009-12-19 22:15:25 ----A---- C:\Windows\grep.exe
2009-12-19 22:15:24 ----A---- C:\Windows\SWSC.exe
2009-12-19 22:15:24 ----A---- C:\Windows\sed.exe
2009-12-19 22:14:44 ----D---- C:\Windows\ERDNT
2009-12-19 22:12:06 ----D---- C:\Qoobox
2009-12-19 21:50:43 ----A---- C:\Windows\ntbtlog.txt
2009-12-19 04:49:22 ----A---- C:\Windows\system32\lsdelete.exe
2009-12-19 01:41:07 ----D---- C:\fixwareout
2009-12-19 01:34:42 ----D---- C:\Documents and Settings\releaseengineer\Application Data\Microsoft
2009-12-19 01:34:39 ----D---- C:\Program Files\Lavasoft
2009-12-19 01:31:52 ----D---- C:\Program Files\Spyware Doctor
2009-12-19 01:31:52 ----D---- C:\Program Files\Common Files\PC Tools
2009-12-19 01:09:28 ----A---- C:\Windows\system32\javaws.exe
2009-12-19 01:09:28 ----A---- C:\Windows\system32\javaw.exe
2009-12-19 01:09:28 ----A---- C:\Windows\system32\java.exe
2009-12-19 01:07:59 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-19 00:35:28 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-18 23:59:16 ----D---- C:\Program Files\TrendMicro
2009-12-18 16:59:51 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-12-18 16:52:52 ----D---- C:\Program Files\Alwil Software
2009-12-18 15:21:15 ----D---- C:\Live! Cam
2009-12-18 14:13:14 ----D---- C:\Program Files\Arcade Music Box
2009-12-17 18:49:37 ----D---- C:\Program Files\TagRename
2009-12-16 00:16:42 ----D---- C:\Program Files\SWiSH Jukebox2
2009-12-15 16:16:57 ----D---- C:\Program Files\Jukebox Arcade
2009-12-15 15:18:35 ----A---- C:\jukeboxDebugLog.txt
2009-12-11 10:06:00 ----D---- C:\mamesrc
2009-12-11 00:53:11 ----D---- C:\Program Files\Common Files\SWF Studio
2009-12-10 23:46:55 ----A---- C:\Windows\system32\nvhdap32.dll
2009-12-10 23:46:55 ----A---- C:\Windows\system32\nvapo32v.dll
2009-12-10 23:45:44 ----D---- C:\Windows\system32\AGEIA
2009-12-10 23:45:43 ----D---- C:\Program Files\AGEIA Technologies
2009-12-10 23:45:23 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-10 23:45:12 ----D---- C:\Program Files\NVIDIA Corporation
2009-12-10 23:43:25 ----A---- C:\Windows\system32\OpenCL.dll
2009-12-10 23:43:25 ----A---- C:\Windows\system32\nvwgf2um.dll
2009-12-10 23:43:24 ----A---- C:\Windows\system32\nvoglv32.dll
2009-12-10 23:43:24 ----A---- C:\Windows\system32\nvencodemft.dll
2009-12-10 23:43:24 ----A---- C:\Windows\system32\nvdecodemft.dll
2009-12-10 23:43:23 ----A---- C:\Windows\system32\nvcuvid.dll
2009-12-10 23:43:23 ----A---- C:\Windows\system32\nvcuvenc.dll
2009-12-10 23:43:23 ----A---- C:\Windows\system32\nvcuda.dll
2009-12-10 23:43:21 ----A---- C:\Windows\system32\nvcompiler.dll
2009-12-10 23:43:21 ----A---- C:\Windows\system32\nvcod178.dll
2009-12-10 23:43:21 ----A---- C:\Windows\system32\nvcod.dll
2009-12-10 23:43:19 ----D---- C:\NVIDIA
2009-12-10 16:14:43 ----A---- C:\Windows\vbaddin.ini
2009-12-10 16:13:29 ----A---- C:\Windows\ODBC.INI
2009-11-25 00:42:47 ----SHD---- C:\found.000

======List of files/folders modified in the last 1 months======

2009-12-20 12:04:34 ----D---- C:\Windows\Temp
2009-12-20 12:03:23 ----D---- C:\Windows\system32\spool
2009-12-20 12:03:18 ----D---- C:\Windows
2009-12-20 11:58:53 ----D---- C:\Windows\Tasks
2009-12-20 11:57:10 ----D---- C:\Windows\system32\Tasks
2009-12-20 11:56:11 ----D---- C:\Windows\Minidump
2009-12-20 11:36:56 ----RD---- C:\Program Files
2009-12-20 11:36:51 ----D---- C:\Windows\Prefetch
2009-12-19 23:05:44 ----D---- C:\Windows\System32
2009-12-19 23:05:42 ----D---- C:\Windows\system32\drivers
2009-12-19 22:58:51 ----HD---- C:\ProgramData
2009-12-19 22:45:23 ----D---- C:\Windows\system32\config
2009-12-19 22:31:04 ----D---- C:\Windows\AppPatch
2009-12-19 22:31:02 ----D---- C:\Program Files\Common Files
2009-12-19 22:29:43 ----D---- C:\Windows\system32\wbem
2009-12-19 22:22:09 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-19 22:22:08 ----D---- C:\Windows\inf
2009-12-19 22:15:55 ----D---- C:\Windows\system32\catroot2
2009-12-19 22:09:38 ----D---- C:\Windows\system32\LogFiles
2009-12-19 21:50:41 ----D---- C:\Program Files\WinMount3
2009-12-19 01:38:11 ----D---- C:\Windows\system32\catroot
2009-12-19 01:38:10 ----DC---- C:\Windows\system32\DRVSTORE
2009-12-19 01:35:35 ----SHD---- C:\Windows\Installer
2009-12-19 01:35:33 ----SHD---- C:\Config.Msi
2009-12-19 01:23:22 ----D---- C:\Program Files\Google
2009-12-19 01:09:27 ----D---- C:\Program Files\Java
2009-12-18 22:08:17 ----D---- C:\Program Files\WBFS
2009-12-18 20:44:49 ----D---- C:\Program Files\Steam
2009-12-18 15:33:36 ----D---- C:\Program Files\SmartDraw 2008
2009-12-18 15:26:04 ----D---- C:\Program Files\Bonjour
2009-12-18 14:09:29 ----RSD---- C:\Windows\Fonts
2009-12-18 14:05:56 ----D---- C:\Program Files\GameHouse Games Collection
2009-12-18 13:55:52 ----D---- C:\Windows\winsxs
2009-12-18 13:40:13 ----D---- C:\Program Files\Common Files\Adobe
2009-12-18 13:39:33 ----D---- C:\Program Files\CCleaner
2009-12-11 00:20:00 ----D---- C:\Emulators
2009-12-10 23:47:12 ----D---- C:\Windows\system32\DriverStore
2009-12-10 23:32:32 ----D---- C:\Program Files\SystemRequirementsLab
2009-12-10 23:32:29 ----D---- C:\Windows\Downloaded Program Files
2009-12-10 16:14:46 ----RSD---- C:\Windows\assembly
2009-12-10 16:14:17 ----D---- C:\Program Files\Common Files\microsoft shared
2009-12-10 02:54:16 ----D---- C:\Program Files\Inkscape
2009-12-06 14:37:37 ----D---- C:\Program Files\Research In Motion
2009-12-06 14:36:33 ----D---- C:\Program Files\Common Files\Research In Motion
2009-11-27 22:59:48 ----A---- C:\Windows\entpack.ini
2009-11-25 00:37:12 ----D---- C:\Program Files\Adobe



#3
December 20, 2009 at 09:04:04
And the GMER log is as follows

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 11:54:38
Windows 6.1.7068
Running: i0nmjoy2.exe; Driver: C:\Users\Dan\AppData\Local\Temp\pfldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8396FCDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8396FED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x839700D8]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8396F984]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83024634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83024898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303D1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSetInformationTransaction + 11A1 82C4B8C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C6C282 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 330 82C7045C 8 Bytes [DE, FC, 96, 83, D0, FE, 96, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 368 82C70494 4 Bytes [D8, 00, 97, 83]
.text ntkrnlpa.exe!RtlSidHashLookup + 7BC 82C708E8 4 Bytes [84, F9, 96, 83]
.text peauth.sys A3E31C9D 28 Bytes [44, A7, 87, 07, 05, 08, FE, ...]
.text peauth.sys A3E31CC1 28 Bytes [44, A7, 87, 07, 05, 08, FE, ...]
PAGE peauth.sys A3E37B9B 72 Bytes [20, F7, BD, D7, 5B, 82, F5, ...]
PAGE peauth.sys A3E37BEC 111 Bytes [AE, A6, FB, 06, 0D, 94, DA, ...]
PAGE peauth.sys A3E37E20 101 Bytes [49, AE, 2B, 75, 4A, 73, 62, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[676] ole32.dll!CoCreateInstance 76998058 5 Bytes JMP 0090000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[1840] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 862C5618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@002106d5309b 0x24 0x7F 0x76 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x84 0x80 0xE1 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@002106d5309b 0x24 0x7F 0x76 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x84 0x80 0xE1 0x12 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


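The GMER log above mixes hooks that are expected on this machine (PC Tools' PCTCore.sys sitting on the process-creation SSDT entries, the Application Compatibility shim redirecting GetProcAddress imports into apphelp.dll) with the one record that matters, the flagged atapi.sys. The Python below is an added example, not GMER's own code and not part of this thread: it parses the three record types from a GMER report and sorts them with a constructed vendor allowlist. The sample records are the PCTCore, rundll32 and atapi.sys lines from the log, plus one constructed SSDT entry (example_unknown.sys, no vendor string) to show how an unattributed hook is reported.

```python
"""Parse the GMER records that matter for triage (SSDT hooks, user-mode IAT
hooks, flagged files) and sort them into expected vs. needs-attention.
Added example for this thread; it is not GMER's own code."""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER log above: the PCTCore, rundll32
# and atapi.sys records are the ones GMER printed; example_unknown.sys is a
# made-up entry with no vendor string, added to show the unattributed case.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8396FCDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8396F984]
SSDT \SystemRoot\system32\drivers\example_unknown.sys ZwEnumerateKey [0x8A3F1000]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\System32\rundll32.exe[2564] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757CA37D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Vendors whose kernel hooks are expected when their product is installed
# (constructed allowlist; PC Tools is here because Spyware Doctor is on the box).
KNOWN_HOOKERS = {"PC Tools", "Microsoft Corporation"}

_SSDT_RE = re.compile(
    r"^SSDT\s+(\S+)(?:\s+\(([^/]+)/([^)]+)\))?\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]$", re.M)
_IAT_RE = re.compile(
    r"^IAT\s+(.+?\[\d+\])\s+@\s+(\S+)\s+\[([^\]]+)\]\s+\[([0-9A-F]+)\]\s+(\S+)(?:\s+\((.*)\))?$", re.M)
_FILE_RE = re.compile(r"^File\s+(\S+)\s+(.+)$", re.M)


def parse_gmer(text):
    """Return the SSDT, IAT and File records as dicts (no interpretation)."""
    ssdt = [
        {"module": mod, "desc": desc or None, "vendor": vendor or None,
         "function": func, "addr": int(addr, 16)}
        for mod, desc, vendor, func, addr in _SSDT_RE.findall(text)
    ]
    iat = [
        {"process": proc, "module": mod, "import_": imp, "addr": int(addr, 16),
         "target": target, "vendor": desc.rsplit("/", 1)[-1] if desc else None}
        for proc, mod, imp, addr, target, desc in _IAT_RE.findall(text)
    ]
    files = [{"path": path, "note": note} for path, note in _FILE_RE.findall(text)]
    return {"ssdt": ssdt, "iat": iat, "files": files}


def triage(text):
    """One line per finding: 'expected:' for attributed security-product hooks,
    'ATTENTION:' for anything a helper should look at before moving on."""
    report = parse_gmer(text)
    findings = []
    by_module = defaultdict(list)
    for hook in report["ssdt"]:
        by_module[hook["module"]].append(hook)
    for module, hooks in by_module.items():
        vendor = hooks[0]["vendor"]
        funcs = ", ".join(h["function"] for h in hooks)
        if vendor in KNOWN_HOOKERS:
            findings.append(f"expected: {module} ({vendor}) hooks {funcs}")
        else:
            findings.append(f"ATTENTION: unattributed SSDT hook by {module} on {funcs}")
    for hook in report["iat"]:
        # GetProcAddress imports redirected into apphelp.dll are the Application
        # Compatibility shim engine at work; treat that one pattern as benign.
        if hook["target"].lower().endswith("apphelp.dll") and "Microsoft" in (hook["vendor"] or ""):
            continue
        findings.append(f"ATTENTION: IAT hook in {hook['process']} -> {hook['target']}")
    for entry in report["files"]:
        if "suspicious" in entry["note"]:
            findings.append(f"ATTENTION: {entry['path']}: {entry['note']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_GMER):
        print(line)
```

Run against the full log, the only ATTENTION line it produces is the atapi.sys one, which is exactly what TDSSKiller goes on to confirm in post #9.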

#4
December 20, 2009 at 09:51:22

I don't see an antivirus program running, to continue you need to install one if possible.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans. To do this click the AVG icon in the systray (bottom right of your screen)> then click exit.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 17 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

Uninstall the older version of ComboFix that you have. To do so go to start> run type in ComboFix /Uninstall (note the space after combofix is needed) then press ok.

Remember: your Avast Antivirus (or whatever AV you have), Spybot's TeaTimer, Spyware Doctor, SafeNet Sentinel, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#5
December 20, 2009 at 10:29:43
Regarding the antivirus, I had Avast installed up until last night when I ran a Kaspersky online scan. I just haven't reinstalled it yet.

Now my issue is this. I have uninstalled the older versions of Java and installed the new one with no problem. I am running into an issue with combofix. Whenever I click on the combofix.exe file that is saved to the desktop, a little progress bar shows up and fills all the way. After that, however, it's as if the program isn't loaded. All of my protection methods are disabled. Any ideas?



#6
December 20, 2009 at 10:47:59
Give it a while; the newer version is slower. It may take 10 minutes to run.


#7
December 20, 2009 at 11:16:08
I just waited a good 20 minutes for combofix to run and nothing happened. Any ideas?


#8
December 20, 2009 at 11:30:46
Did the Combofix uninstaller run ok?

Run the following tool but please do not restart the computer until we ask you to.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.



#9
December 20, 2009 at 11:38:23
Yeah, the combofix uninstaller ran fine. I just ran the TDSSKiller and here are the results.

Host Name: DAN-PC
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7068 N/A Build 7068
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Dan
Registered Organization:
Product ID: 00428-321-7001051-70485
Original Install Date: 4/7/2009, 1:41:11 AM
System Boot Time: 12/20/2009, 1:55:14 PM
System Manufacturer: Hewlett-Packard
System Model: Compaq Presario CQ50 Notebook PC
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 17 Model 3 Stepping 1 AuthenticAMD ~988 Mhz
BIOS Version: Hewlett-Packard F.31, 10/17/2008
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,814 MB
Available Physical Memory: 1,803 MB
Virtual Memory: Max Size: 5,629 MB
Virtual Memory: Available: 4,647 MB
Virtual Memory: In Use: 982 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\DAN-PC
Hotfix(s): N/A
Network Card(s): 3 NIC(s) Installed.
[01]: NVIDIA nForce Networking Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Broadcom 802.11g Network Adapter
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.104
[02]: fe80::f53e:30c2:ada1:e4c8
[03]: Microsoft Virtual WiFi Miniport Adapter
Connection Name: Wireless Network Connection 2
Status: Media disconnected
14:40:40:339 2344 ForceUnloadDriver: NtUnloadDriver error 2
14:40:40:342 2344 ForceUnloadDriver: NtUnloadDriver error 2
14:40:40:345 2344 ForceUnloadDriver: NtUnloadDriver error 2
14:40:40:348 2344 main: Driver KLMD successfully dropped
14:40:40:401 2344 main: Driver KLMD successfully loaded
14:40:40:401 2344 Scanning Registry ...
14:40:40:402 2344 ScanServices: Searching service UACd.sys
14:40:40:403 2344 ScanServices: Open/Create key error 2
14:40:40:403 2344 ScanServices: Searching service TDSSserv.sys
14:40:40:403 2344 ScanServices: Open/Create key error 2
14:40:40:403 2344 ScanServices: Searching service gaopdxserv.sys
14:40:40:403 2344 ScanServices: Open/Create key error 2
14:40:40:403 2344 ScanServices: Searching service gxvxcserv.sys
14:40:40:403 2344 ScanServices: Open/Create key error 2
14:40:40:403 2344 ScanServices: Searching service MSIVXserv.sys
14:40:40:403 2344 ScanServices: Open/Create key error 2
14:40:40:411 2344 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 82C08000
14:40:40:413 2344 UnhookRegistry: Kernel local addr: 1570000
14:40:40:413 2344 UnhookRegistry: KeServiceDescriptorTable addr: 16D89C0
14:40:40:428 2344 UnhookRegistry: KiServiceTable addr: 15CD320
14:40:40:428 2344 UnhookRegistry: NtEnumerateKey service number (local): 74
14:40:40:428 2344 UnhookRegistry: NtEnumerateKey local addr: 17E9BCF
14:40:40:439 2344 KLMD_OpenDevice: Trying to open KLMD device
14:40:40:439 2344 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
14:40:40:439 2344 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
14:40:40:440 2344 KLMD_ReadMem: Trying to ReadMemory 0x82C3E5E5[0x4]
14:40:40:440 2344 UnhookRegistry: NtEnumerateKey service number (kernel): 74
14:40:40:440 2344 KLMD_ReadMem: Trying to ReadMemory 0x82C654F0[0x4]
14:40:40:440 2344 UnhookRegistry: NtEnumerateKey real addr: 82E81BCF
14:40:40:440 2344 UnhookRegistry: NtEnumerateKey calc addr: 82E81BCF
14:40:40:440 2344 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:40:40:440 2344 KLMD_ReadMem: Trying to ReadMemory 0x82E81BCF[0xA]
14:40:40:440 2344 UnhookRegistry: No splicing found on NtEnumerateKey
14:40:40:448 2344 Scanning Kernel memory ...
14:40:40:449 2344 KLMD_OpenDevice: Trying to open KLMD device
14:40:40:450 2344 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
14:40:40:450 2344 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:40:40:450 2344 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 863BD448
14:40:40:450 2344 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
14:40:40:450 2344 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 863BF6B8
14:40:40:450 2344 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863BF6B8
14:40:40:450 2344 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 863BF020
14:40:40:450 2344 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863BF020
14:40:40:450 2344 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8560D618
14:40:40:451 2344 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8560D618
14:40:40:451 2344 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8627D030
14:40:40:451 2344 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8627D030
14:40:40:451 2344 KLMD_ReadMem: Trying to ReadMemory 0x8627D030[0x38]
14:40:40:451 2344 DetectCureTDL3: DRIVER_OBJECT addr: 865127F8
14:40:40:451 2344 KLMD_ReadMem: Trying to ReadMemory 0x865127F8[0xA8]
14:40:40:451 2344 KLMD_ReadMem: Trying to ReadMemory 0x862B1098[0x38]
14:40:40:451 2344 KLMD_ReadMem: Trying to ReadMemory 0x8629E670[0xA8]
14:40:40:451 2344 KLMD_ReadMem: Trying to ReadMemory 0x8629E620[0x208]
14:40:40:451 2344 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:40:40:451 2344 DetectCureTDL3: IrpHandler (0) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (1) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (2) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (3) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (4) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (5) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (6) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (7) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (8) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (9) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (10) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (11) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (12) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (13) addr: 862E5618
14:40:40:452 2344 DetectCureTDL3: IrpHandler (14) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (15) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (16) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (17) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (18) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (19) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (20) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (21) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (22) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (23) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (24) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (25) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: IrpHandler (26) addr: 862E5618
14:40:40:453 2344 DetectCureTDL3: All IRP handlers pointed to one addr: 862E5618
14:40:40:454 2344 KLMD_ReadMem: Trying to ReadMemory 0x862E5618[0x400]
14:40:40:454 2344 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
14:40:40:454 2344 Driver "atapi" Irp handler infected by TDSS rootkit ... 14:40:40:455 2344 KLMD_WriteMem: Trying to WriteMemory 0x862E567D[0xD]
14:40:40:455 2344 cured
14:40:40:456 2344 KLMD_ReadMem: Trying to ReadMemory 0x862E54BF[0x400]
14:40:40:456 2344 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
14:40:40:456 2344 Driver "atapi" StartIo handler infected by TDSS rootkit ... 14:40:40:458 2344 TDL3_StartIoHookCure: Number of patches 1
14:40:40:458 2344 KLMD_WriteMem: Trying to WriteMemory 0x862E55B6[0x6]
14:40:40:458 2344 cured
14:40:40:459 2344 TDL3_FileDetect: Processing driver: atapi
14:40:40:460 2344 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\atapi.sys, C:\Windows\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
14:40:40:460 2344 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
14:40:40:460 2344 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
14:40:40:489 2344 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 14:40:40:490 2344 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
14:40:40:490 2344 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
14:40:40:500 2344 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\Drivers\tsk_atapi.sys
14:40:40:546 2344 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
14:40:40:546 2344 TDL3_FileCure: KLMD_PendCopyFileW (C:\Windows\system32\Drivers\tsk_atapi.sys, C:\Windows\system32\drivers\atapi.sys) success
14:40:40:547 2344 will be cured on next reboot
14:40:40:562 2344 Completed

Results:
14:40:40:563 2344 Infected objects in memory: 2
14:40:40:564 2344 Cured objects in memory: 2
14:40:40:565 2344 Infected objects on disk: 1
14:40:40:565 2344 Objects on disk cured on reboot: 1
14:40:40:566 2344 Objects on disk deleted on reboot: 0
14:40:40:567 2344 Registry nodes deleted on reboot: 0
14:40:40:568 2344


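The decisive lines in the TDSSKiller log above are the 27 IrpHandler entries for \Driver\atapi that all resolve to 862E5618, followed by "All IRP handlers pointed to one addr". A driver's dispatch table normally holds several distinct routines (its real handlers plus the kernel's shared stub for the major codes it does not support), so a table in which every entry is the same address has been overwritten by a single hook; that is the signature TDSSKiller acts on before it repairs the handlers in memory and schedules the on-disk atapi.sys for replacement at reboot. The Python below is an added example, not TDSSKiller's code: it rebuilds that table from log lines, applies the same test, and reads the result counters so a helper can see at a glance whether a reboot is still pending. The sample log is constructed from the entries above, and CLEAN_TABLE is a constructed dispatch table for a healthy driver.

```python
"""Rebuild a driver's IRP dispatch table from TDSSKiller's "IrpHandler (n) addr:"
lines, apply the all-handlers-to-one-address test the tool reports, and read the
result counters. Added example for this thread; it is not TDSSKiller's code."""
import re
from collections import defaultdict

# Constructed sample in the shape of the log above (time, pid, message); the
# 27 handler lines all resolve to 862E5618 exactly as in the posted log.
_HANDLER_LINES = "\n".join(
    f"14:40:40:452 2344 DetectCureTDL3: IrpHandler ({i}) addr: 862E5618" for i in range(27)
)
SAMPLE_LOG = f"""\
14:40:40:451 2344 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
{_HANDLER_LINES}
14:40:40:453 2344 DetectCureTDL3: All IRP handlers pointed to one addr: 862E5618
14:40:40:454 2344 Driver "atapi" Irp handler infected by TDSS rootkit ... 14:40:40:455 2344 cured
14:40:40:489 2344 File C:\\Windows\\system32\\drivers\\atapi.sys infected by TDSS rootkit ... 14:40:40:547 2344 will be cured on next reboot
14:40:40:563 2344 Infected objects in memory: 2
14:40:40:564 2344 Cured objects in memory: 2
14:40:40:565 2344 Infected objects on disk: 1
14:40:40:565 2344 Objects on disk cured on reboot: 1
14:40:40:566 2344 Objects on disk deleted on reboot: 0
"""

# Constructed dispatch table for a clean driver: a few real routines, with the
# unsupported major codes all sharing the kernel's invalid-request stub.
CLEAN_TABLE = [0x8A1000, 0x8A1000, 0x8A1200, 0x8A1300] + [0x82C0F5A0] * 23

_DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\(\w+)")
_HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
_RESULT_RE = re.compile(
    r"^\S+\s+\d+\s+((?:Infected|Cured|Objects|Registry)[^:]*):\s*(\d+)\s*$", re.M)


def parse_irp_handlers(log):
    """Map driver name -> dispatch table (list index = IRP_MJ_* code) from the log."""
    tables = defaultdict(dict)
    current = None
    for line in log.splitlines():
        m = _DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = _HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return {drv: [table[i] for i in sorted(table)] for drv, table in tables.items()}


def irp_table_is_hooked(handlers):
    """The TDL3 test: some entries sharing an address is normal (the stub for
    unsupported majors), every entry sharing one address is not."""
    return len(handlers) > 1 and len(set(handlers)) == 1


def parse_results(log):
    """The 'Results:' counters as {label: count}."""
    return {label.strip(): int(count) for label, count in _RESULT_RE.findall(log)}


def needs_reboot(log):
    return "will be cured on next reboot" in log


def triage(log):
    """Findings a helper would want before telling the user what to do next."""
    findings = []
    for drv, handlers in parse_irp_handlers(log).items():
        if irp_table_is_hooked(handlers):
            findings.append(f"{drv}: all {len(handlers)} IRP handlers point to {handlers[0]:08X}")
    results = parse_results(log)
    if results.get("Infected objects on disk", 0) > results.get("Objects on disk cured on reboot", 0):
        findings.append("disk objects left uncured")
    if needs_reboot(log):
        findings.append("reboot required to complete the cure")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

The last finding is the one that matters for this thread: the in-memory hooks were repaired immediately ("Cured objects in memory: 2"), but the replacement atapi.sys only takes effect after the restart requested in post #12, which is why the redirects persisted until then.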

#10
December 20, 2009 at 11:56:23
Looks like the computer rebooted on its own, did it?

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and make sure this file exists:

C:\Windows\system32\drivers\atapi.sys



#11
December 20, 2009 at 12:01:52
No, the computer did not reboot itself, nor did I reboot it. And I do have that atapi.sys file in that folder.


#12
December 20, 2009 at 12:18:09
Restart the computer and let me know if you are still being redirected after the restart.


#13
December 20, 2009 at 12:27:10
Alright, I restarted the computer and everything seems to be working normally. Thank you for all the help. I really appreciate it. Have a safe and happy holiday season. Thank you again.

Dan



#14
December 20, 2009 at 12:34:40
A little clean-up to do.

Be sure to restart all your protection asap.

Delete RSIT, GMER, TDSSKiller from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#15
December 20, 2009 at 12:49:31
Alright, I did all of that and I just wanted to say thank you again. So thanks.


#16
December 20, 2009 at 13:37:44
You are very welcome.
